feat(acm): Add new check for insecure algorithms in certificates #4551
Conversation
github-actions
bot
added
the
provider/aws
| report.status = "PASS" | ||
| report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} meet minimum key size requirements." | ||
|
|
||
| if certificate.key_algorithm == "RSA_1024": |
There was a problem hiding this comment.
Just a comment about this, we should be able to configure the list of algorithms that are not secure enough for this check to pass.
I did not reviewed the PR but took a quick look at it. Great work 👏
There was a problem hiding this comment.
added in commit 4d9d8f3
There was a problem hiding this comment.
Maybe I was not clear enough. My point was to be able to configure the list of algorithms using Prowler configuration. You can see how could it be implemented at https://docs.prowler.com/projects/prowler-open-source/en/latest/developer-guide/checks/#using-the-audit-config
There was a problem hiding this comment.
Thought about it at first but I wasn't sure if that was what you was asking about. Added in commit c8d3954
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #4551 +/- ##
==========================================
- Coverage 89.08% 89.07% -0.01%
==========================================
Files 910 911 +1
Lines 27741 27763 +22
==========================================
+ Hits 24713 24731 +18
- Misses 3028 3032 +4 ☔ View full report in Codecov by Sentry. |
| "ResourceType": "AwsCertificateManagerCertificate", | ||
| "Description": "Check if ACM Certificates use a secure RSA key size", | ||
| "Risk": "Certificates with weak RSA keys can be compromised.", | ||
| "RelatedUrl": "https://docs.aws.amazon.com/es_es/acm/latest/userguide/acm-certificate.html", |
There was a problem hiding this comment.
Please, can you add here the Security Hub link?
https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html#acm-2
There was a problem hiding this comment.
Added in commit 74786c7
| }, | ||
| "Recommendation": { | ||
| "Text": "Ensure that all ACM certificates use RSA keys of at least 2048 bits. If any certificates use smaller keys, regenerate them with a secure key size and update any systems that rely on these certificates.", | ||
| "Url": "https://docs.aws.amazon.com/es_es/acm/latest/userguide/acm-certificate.html" |
There was a problem hiding this comment.
Here too, since the SecurityHub link also contains the Remediation.
There was a problem hiding this comment.
Added in commit 74786c7
|
What if we create a generic check regardless the algorithm? So we can use it for RSA, ECDSA or whatever. @sergargar @puchy22 @MarioRgzLpz |
All other algorithms allowed by AWS are secure, except for RSA 1024 bits, which is not considered a best practice. Creating a generic check is a good idea, as it will future-proof the system by allowing for the inclusion of new algorithms that may fall out of best practice over time. |
MarioRgzLpz
changed the title
…ength-in-certificates
| report.resource_tags = certificate.tags | ||
|
|
||
| report.status = "PASS" | ||
| report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} meet minimum key size requirements." |
There was a problem hiding this comment.
| report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} meet minimum key size requirements." | |
| report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} uses a secure key algorithm." |
| { | ||
| "Provider": "aws", | ||
| "CheckID": "acm_certificates_insecure_algorithms", | ||
| "CheckTitle": "Check if ACM Certificates use a secure RSA key size", |
There was a problem hiding this comment.
| "CheckTitle": "Check if ACM Certificates use a secure RSA key size", | |
| "CheckTitle": "Check if ACM Certificates use a secure key algorithm", |
| "ResourceIdTemplate": "arn:partition:acm:region:account-id:certificate/resource-id", | ||
| "Severity": "high", | ||
| "ResourceType": "AwsCertificateManagerCertificate", | ||
| "Description": "Check if ACM Certificates use a secure RSA key size", |
There was a problem hiding this comment.
| "Description": "Check if ACM Certificates use a secure RSA key size", | |
| "Description": "Check if ACM Certificates use a secure key algorithm", |
There was a problem hiding this comment.
Can you elaborate it more? Mention for example what is considered to be a secure key algorithm :)
| "insecure_algorithms", ["RSA_1024"] | ||
| ): | ||
| report.status = "FAIL" | ||
| report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} uses a not secure key length." |
There was a problem hiding this comment.
| report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} uses a not secure key length." | |
| report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} does not use a secure key algorithm." |
| @@ -0,0 +1,32 @@ | |||
| { | |||
| "Provider": "aws", | |||
| "CheckID": "acm_certificates_insecure_algorithms", | |||
There was a problem hiding this comment.
| "CheckID": "acm_certificates_insecure_algorithms", | |
| "CheckID": "acm_certificates_with_secure_key_algorithms", |
| "ResourceType": "AwsCertificateManagerCertificate", | ||
| "Description": "Check if ACM Certificates use a secure RSA key size", | ||
| "Risk": "Certificates with weak RSA keys can be compromised.", | ||
| "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html#acm-2", |
There was a problem hiding this comment.
| "RelatedUrl": "https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html#acm-2", | |
| "RelatedUrl": "https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html", |
… description to make more sense with the check.
|
@sergargar All the changes you requested done in commit 42829a3. I changed the Recommendation URL to the AWS one that guides you on how to change the algorithm on a certificate. |
| }, | ||
| "Recommendation": { | ||
| "Text": "Ensure that all ACM certificates use a secure key algorithm. If any certificates use smaller keys, regenerate them with a secure key size and update any systems that rely on these certificates.", | ||
| "Url": "https://docs.aws.amazon.com/acm/latest/userguide/gs.html" |
There was a problem hiding this comment.
Thanks for the changes @MarioRgzLpz ! However, I prefer the SecurityHub link here since we can map the check to the Security Hub one, and in that link there is the actual remediation of the check.
There was a problem hiding this comment.
Allright added in commit ca090d8
| "Severity": "high", | ||
| "ResourceType": "AwsCertificateManagerCertificate", | ||
| "Description": "Check if ACM Certificates use a secure key algorithm (RSA 2048 bits or more, or ECDSA 256 bits or more). For example certificates that use RSA_1024 can be compromised.", | ||
| "Risk": "Certificates with weak RSA or ECDSA keys can be compromised.", |
There was a problem hiding this comment.
Could you elaborate a bit on this information to make it clear why the certificates could be compromised
tests/config/config_test.py
Outdated
| @@ -262,6 +262,9 @@ def mock_prowler_get_latest_release(_, **kwargs): | |||
| ], | |||
| "check_rds_instance_replicas": False, | |||
| "days_to_expire_threshold": 7, | |||
| "insecure_algorithms": [ | |||
There was a problem hiding this comment.
| "insecure_algorithms": [ | |
| "insecure_key_algorithms": [ |
tests/config/fixtures/config.yaml
Outdated
| @@ -271,6 +271,11 @@ aws: | |||
| # AWS ACM Configuration | |||
| # aws.acm_certificates_expiration_check | |||
| days_to_expire_threshold: 7 | |||
| # aws.acm_certificates_rsa_key_length | |||
| insecure_algorithms: | |||
There was a problem hiding this comment.
| insecure_algorithms: | |
| insecure_key_algorithms: |
…e config, add some details in the description and risk in the metadata and rename the service methods to comply with Python convention
…gorithms including ECDSA and all key size RSA
…pped KeyAlgorithm_Size to KeyAlgorithm-Size as this is the format in which certificates are returned
…-for-rsa-key-length-in-certificates
| report.resource_tags = certificate.tags | ||
|
|
||
| report.status = "PASS" | ||
| report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} uses a secure key algorithm." |
There was a problem hiding this comment.
Can you add in the status extended the key algorithm at the end within parenthesis, please?
| "insecure_algorithms", ["RSA-1024"] | ||
| ): | ||
| report.status = "FAIL" | ||
| report.status_extended = f"ACM Certificate {certificate.id} for {certificate.name} does not use a secure key algorithm." |
…-for-rsa-key-length-in-certificates
…audit_config key format in the tests
|
@sergargar All done here cf645a7 |
Context
In order to enhance the security measures and ensure compliance with best practices in cryptographic operations, we are introducing a new check within the AWS Certificate Manager (ACM) framework. This new check specifically focuses on verifying that the algorithm used in the certificate is secure enough. By default it will check that RSA_1024 is not used as it is not considered a best practice. Algorithms chosen as insecure can be configured by the user to allow them to harden the certificates.
Description
I added
acm_certificates_with_secure_key_algorithmscheck with his respective unit test. In order to do the check I modified theacm_servicemodelCertificateadding the key_algorithm as str. I also modified the config.yaml to add the new insecure_algorithms parameter.License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.